Healthcare’s Guide to Vulnerability Management

What Do Healthcare Leaders Think about Vulnerability Management?

Healthcare organizations are under mounting pressure to manage cybersecurity vulnerabilities across an increasingly complex technology ecosystem. Traditional IT environments now coexist with cloud platforms, cyber-physical systems, and thousands of network-connected medical devices—many of which were never designed with modern cybersecurity threats in mind. 

CHIME Insights  

To better understand how healthcare leaders are managing this reality, members of the College of Healthcare Information Management Executives (CHIME) recently participated in a survey focused on vulnerability management across IT and medical/IoT environments. Their responses reveal both progress and persistent gaps—and point clearly to the need for a more unified approach. The data below reflect the survey results conducted by CHIME.  

Respondents included CIOs, CISOs, clinical and digital leaders from ambulatory organizations, and large multi-hospital systems.

The Healthcare Cyber Risk Landscape

Healthcare organizations manage vulnerabilities across a rapidly expanding ecosystem:

• • • • IT infrastructure
      • Cloud environments
      • Cyber-physical systems
      • Connected medical devices

Many technologies were not built for today’s threat landscape—creating risk to patient safety, operations, and compliance.

Top Vulnerability Management Challenges

Healthcare leaders report:

• • • • Limited budget and staffing
      • Outdated or unsupported systems
      • High volumes of vulnerabilities
      • Difficulty prioritizing risk
      • Patch testing and deployment delays

The imbalance: vulnerabilities are discovered faster than they can be remediated.

Scanning Alone Isn’t Enough

Most organizations scan:

• • • • Weekly
      • Quarterly
      • Continuously

Reality:
More scanning does not equal less risk if findings aren’t actionable or aligned with clinical constraints.

The Biggest Gap: IT & Medical Devices

Only 36% have fully integrated vulnerability programs.

Key barriers:

• • • • Medical device patching limitations
      • No unified asset inventory
      • IT and clinical engineering silos
      • Limited remediation resources

Confidence Is Cautious

• • • • 84% are somewhat confident
      • Only 8% are very confident

Programs may work under normal conditions—but are stressed by zero-days, ransomware, and urgent disclosures.

What Will Close the Gap

Healthcare leaders say prioritizing these actions will improve outcomes

• • • • Look to create a single, unified asset inventory
      • Unify vulnerability management with tools spanning IT and medical devices
      • Create a formal cross-department governance to educate on risk and risk remediation actions
      • This problem is not declining, so find a way to optimize and increase remediation resource effectiveness
      • Collectively work for greater vendor accountability

Status Quo Can’t Keep Up with Vulnerability Exploitation  

Common Vulnerabilities and Exposures (CVE) Growth

Published CVEs rose by roughly 20% from 2024 to 2025, expanding the attack surface and increasing the workload for vulnerability management teams.

This increase reflects broader disclosure participation, expanded CNA coverage, and backlog reductions in scoring pipelines. Counts may vary due to withdrawn CVEs and NVD timing differences.

CVE Numbering Authority (CNA) Growth

CVE Numbering Authorities (CNAs) are approved organizations that assign CVE IDs within defined technology scopes. In 2025, the global CNA community grew by approximately 6%, expanding vulnerability coverage and accelerating disclosure across vendors and platforms.

Known Exploited Vulnerability (KEV) Growth 

Known Exploited Vulnerabilities (KEVs) are software and hardware flaws that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed are actively being used in real-world attacks. Between 2024 and 2025, the KEV catalog expanded by approximately 20%, underscoring the growing pace of proven exploitation.

Vulnerability Management across the healthcare industry is fraught with complexity exacerbated by a landscape of changing exposure risk. Healthcare data, innovation, and patient care availability are all at risk when vulnerabilities can be exploited. 

Not all types of organizations across the healthcare ecosystem are the same. Clearwater’s report is the first of its kind that breaks down the trends broken out by healthcare market segments.

View the ups and downs of how healthcare organizations deal with all vulnerabilities month by month. Critical vulnerability finding trends show how these contribute to the running exposure risk in healthcare.